Newbie needing help

Hi can someone help me please, I have been set the task to configure a
firewall at the company I work for because they are too tight to get a Cisco
engineer in.
I have read as much as I can on the set up and think I have the basics, the
problem is however our ISP router has an outside address of 00.00.00.216 and
the gateway is 00.00.00.222 the addresses between are the ones we can use, my
question is which address would I use for the firewall, at the moment our
exchange 2000 is using the 217 address, and an internal address, so do I give
the outside address of the firewall the 217? or is there a way to use all
the address range from 217 to 221?
I know this is easy stuff for someone who knows what they are doing. Thanks
for any help in advance.

dances wrote:
> Hi can someone help me please, I have been set the task to configure a
> firewall at the company I work for because they are too tight to get a Cisco
> engineer in.
> I have read as much as I can on the set up and think I have the basics, the
> problem is however our ISP router has a outside address of 00.00.00.216 and
> the gateway is 00.00.00.222 the address between are the ones we can use, my
> question is which address would I use for the firewall, at the moment our
> exchange 2000 is using the 217 address,and a internal address, so do I give
> the outside address of the firewall the 217? or is there a way to use all
> the address range from 217 to 221?
> I know this is easy stuff for someone who knows what they are doing. Thanks
> for any help in advance.
>
>
You might want to double-check those addresses. 00.00.00.xx is not a
valid ip address. Also, can you provide the subnet mask? Then we can
go from there.

In article <voWIb.253$>,
dances <> wrote:
:Hi can someone help me please, I have been set the task to configure a
:firewall at the company I work for because they are too tight to get a Cisco
:engineer in.
:I have read as much as I can on the set up and think I have the basics, the
:problem is however our ISP router has a outside address of 00.00.00.216 and
:the gateway is 00.00.00.222 the address between are the ones we can use, my
:question is which address would I use for the firewall, at the moment our
:exchange 2000 is using the 217 address,and a internal address, so do I give
:the outside address of the firewall the 217? or is there a way to use all
:the address range from 217 to 221?

Are you doing peering with your Exchange server? If you are, you are
going to have some difficulties with the configuration.

If you are not doing peering with the Exchange server, then you
can make the PIX outside address any of the addresses from 218 to 221.
Once you have done that, it is easiest to use private IP addresses
internally (i.e., you would renumber your Exchange server internally).
To allow the exchange server to be reached from outside, you would
then configure a static address translation. For example, if the new
internal IP address was 10.0.0.217 you would configure

If you are peering with the Exchange server, then if you are using
NetBios as part of the peering [I don't know about Active Directory]
then you will find that the other end will have problems reaching you
because the other end will learn the private IP address through NetBios
and try to contact that private address instead of the public address.
This is an issue any time Netbios information is being shared between
sites, including for NT Domain Login purposes. You either have to use
a VPN between the sites so that the private IP addresses become
internally routable, or else you have to use fixed static IP addresses
internally.

If you are faced with the above situation, or if there are other good
reasons why you cannot renumber your systems to private IP addresses,
then you have a configuration challenge. The PIX can NEVER be configured
to have the same IP subnet on different interfaces, and the PIX cannot
be configured as a transparent bridge (just filtering the data as it
goes by.) If you must use public IP addresses internally, then
you have to arrange so that your inside interface is not on the
same public IP subnet as your outside interface is. You either need
to use more than one public IP subnet (probably not an immediate
option for you) or else you have to "cheat" a bit by putting in
an inside router carefully configured with a good understanding
of how routers find hosts.
--
csh is bad drugs.

Sorry, I was just hiding the real address as we don't have a firewall yet
(hehe) but the subnet mask is 255.255.255.248, and let's say the outside
address is 214.42.167.216
"Mike" <> wrote in message
news:...
> dances wrote:
> > Hi can someone help me please, I have been set the task to configure a
> > firewall at the company I work for because they are too tight to get a Cisco
> > engineer in.
> > I have read as much as I can on the set up and think I have the basics, the
> > problem is however our ISP router has a outside address of 00.00.00.216 and
> > the gateway is 00.00.00.222 the address between are the ones we can use, my
> > question is which address would I use for the firewall, at the moment our
> > exchange 2000 is using the 217 address,and a internal address, so do I give
> > the outside address of the firewall the 217? or is there a way to use all
> > the address range from 217 to 221?
> > I know this is easy stuff for someone who knows what they are doing. Thanks
> > for any help in advance.
> >
> >
> You might want to double-check those addresses. 00.00.00.xx is not a
> valid ip address. Also, can you provide the subnet mask? Then we can
> go from there.
>
> Thanks!
>
> -Mike
>

Thanks Walter
I'll let you know how I go on, back to work Monday
"Walter Roberson" <-cnrc.gc.ca> wrote in message
news:bt1j9f$b0s$...
> In article <voWIb.253$>,
> dances <> wrote:
> :Hi can someone help me please, I have been set the task to configure a
> :firewall at the company I work for because they are too tight to get a Cisco
> :engineer in.
> :I have read as much as I can on the set up and think I have the basics, the
> :problem is however our ISP router has a outside address of 00.00.00.216 and
> :the gateway is 00.00.00.222 the address between are the ones we can use, my
> :question is which address would I use for the firewall, at the moment our
> :exchange 2000 is using the 217 address,and a internal address, so do I give
> :the outside address of the firewall the 217? or is there a way to use all
> :the address range from 217 to 221?
>
> Are you doing peering with your Exchange server? If you are, you are
> going to have some difficulties with the configuration.
>
> If you are not doing peering with the Exchange server, then you
> can make the PIX outside address any of the addresses from 218 to 221.
> Once you have done that, it is easiest to use private IP addresses
> internally (i.e., you would renumber your Exchange server internally).
> To allow the exchange server to be reached from outside, you would
> then configure a static address translation. For example, if the new
> internal IP address was 10.0.0.217 you would configure
>
> names
> name 10.0.0.217 ExchangePrivate
> name 0.0.0.217 ExchangePublic
>
> static (inside,outside) ExchangePublic ExchangePrivate netmask 255.255.255.255
>
> You would then create an access-list that permitted the Exchange traffic
> and you would apply that access list to the outside interface:
>
> access-list out2in permit tcp any ExchangePublic eq smtp
> access-list out2in permit tcp any ExchangePublic eq https
> access-group out2in in interface outside
>
>
> If you are peering with the Exchange server, then if you are using
> NetBios as part of the peering [I don't know about Active Directory]
> then you will find that the other end will have problems reaching you
> because the other end will learn the private IP address through NetBios
> and try to contact that private address instead of the public address.
> This is an issue any time Netbios information is being shared between
> sites, including for NT Domain Login purposes. You either have to use
> a VPN between the sites so that the private IP addresses become
> internally routable, or else you have to use fixed static IP addresses
> internally.
>
> If you are faced with the above situation, or if there are other good
> reasons why you cannot renumber your systems to private IP addresses,
> then you have a configuration challenge. The PIX can NEVER be configured
> to have the same IP subnet on different interfaces, and the PIX cannot
> be configured as a transparent bridge (just filtering the data as it
> goes by.) If you must use public IP addresses internally, then
> you have to arrange so that your inside interface is not on the
> same public IP subnet as your outside interface is. You either need
> to use more than one public IP subnet (probably not an immediate
> option for you) or else you have to "cheat" a bit by putting in
> an inside router carefully configured with a good understanding
> of how routers find hosts.
> --
> csh is bad drugs.
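
Added example, not part of any post in this thread: a small address-plan check for the layout discussed above, using the sample outside address 214.42.167.216 and mask 255.255.255.248 given by the poster. The inside network 10.0.0.0/24 and the function names are assumptions for illustration; only 10.0.0.217 comes from the reply.

```python
import ipaddress

def is_host(addr, net):
    """True if addr is a usable host address (not network/broadcast) in net."""
    return addr in net and addr not in (net.network_address, net.broadcast_address)

def plan_outside_block(any_addr, mask, gateway, in_use):
    """Derive the ISP block from one address plus mask; list free host addresses."""
    net = ipaddress.ip_network(f"{any_addr}/{mask}", strict=False)
    gw = ipaddress.ip_address(gateway)
    if not is_host(gw, net):
        raise ValueError(f"gateway {gw} is not a usable host in {net}")
    used = {ipaddress.ip_address(a) for a in in_use}
    free = [h for h in net.hosts() if h != gw and h not in used]
    return net, free

def check_pix_plan(outside_net, outside_ip, inside_net, statics):
    """Return a list of problems with a proposed outside/inside/static plan."""
    problems = []
    out_ip = ipaddress.ip_address(outside_ip)
    inside = ipaddress.ip_network(inside_net)
    if not is_host(out_ip, outside_net):
        problems.append(f"outside address {out_ip} is not a host in {outside_net}")
    # The constraint from the thread: no shared subnet across interfaces.
    if inside.overlaps(outside_net):
        problems.append(f"inside {inside} and outside {outside_net} overlap")
    for public, private in statics:
        pub, priv = ipaddress.ip_address(public), ipaddress.ip_address(private)
        if not is_host(pub, outside_net):
            problems.append(f"static public {pub} is not a host in {outside_net}")
        if pub == out_ip:  # this plan keeps the server's address separate
            problems.append(f"static public {pub} equals the outside interface")
        if priv not in inside:
            problems.append(f"static private {priv} is not in inside {inside}")
    return problems

if __name__ == "__main__":
    # With mask 255.255.255.248 the block is a /29: .216 is the network
    # address, .223 the broadcast, and .217-.222 are the host addresses.
    net, free = plan_outside_block("214.42.167.216", "255.255.255.248",
                                   "214.42.167.222", ["214.42.167.217"])
    print(net, [str(a) for a in free])
    # Assumed inside network 10.0.0.0/24 with the Exchange server at 10.0.0.217.
    print(check_pix_plan(net, free[0], "10.0.0.0/24",
                         [("214.42.167.217", "10.0.0.217")]))
```
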
